Sunday, 25 August 2019

TACACS+ (AAA) Configuration in Juniper and Cisco (IOS-XR, IOS-XE, IOS, NX-OS)

Configuring Juniper and Cisco devices to authenticate, authorize and account (AAA) against a TACACS+ server. Keep in mind that TACACS+ only obfuscates the packet body with the shared key (an MD5-based XOR); it does not encrypt or authenticate the session. Restrict it to a management path: source it from the loopback and accept it on the control plane only from the server address, as the configurations below do.

10.10.10.10 - TACACS+ AAA server
20.20.20.2  - Loopback IP (source address for TACACS+ traffic)

Juniper:


system {
    host-name JUNIPER-ROUTER1;
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "$r00tp44sw0rdh3r3/1"; ## SECRET-DATA
    }
    tacplus-server {
        10.10.10.10 {
            secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"; ## SECRET-DATA
            single-connection;
            source-address 20.20.20.2;
        }
    }
    accounting {
        events interactive-commands;
        destination {
            tacplus {
                server {
                    10.10.10.10 {
                        secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"; ## SECRET-DATA
                        single-connection;
                        source-address 20.20.20.2;
                    }
                }
            }
        }
    }
}

firewall {
    family inet {
        filter FIREWALL-RE {
            /* TRUSTED TACACS */
            term TACACS-ACL {
                from {
                    source-address {
                        10.10.10.10/32;
                        20.20.20.2/32;
                    }
                    protocol tcp;
                    port tacacs;
                }
                then {
                    count TACACS-ACL;
                    accept;
                }
            }
        }
    }
}

In set format:

set system host-name JUNIPER-ROUTER1
set system authentication-order tacplus
set system authentication-order password
set system root-authentication encrypted-password "$r00tp44sw0rdh3r3/1"
set system tacplus-server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"
set system tacplus-server 10.10.10.10 single-connection
set system tacplus-server 10.10.10.10 source-address 20.20.20.2
set system accounting events interactive-commands
set system accounting destination tacplus server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"
set system accounting destination tacplus server 10.10.10.10 single-connection
set system accounting destination tacplus server 10.10.10.10 source-address 20.20.20.2


set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 10.10.10.10/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 20.20.20.2/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from protocol tcp
set firewall family inet filter FIREWALL-RE term TACACS-ACL from port tacacs
set firewall family inet filter FIREWALL-RE term TACACS-ACL then count TACACS-ACL
set firewall family inet filter FIREWALL-RE term TACACS-ACL then accept

Notes on the Juniper configuration: the FIREWALL-RE filter does nothing until it is applied to the loopback interface (set interfaces lo0 unit 0 family inet filter input FIREWALL-RE), and as shown it contains only the TACACS term. A firewall filter ends with an implicit discard, so add terms for every other protocol the RE must accept (SSH, BGP, IGP, NTP and so on) before applying it, or you will lock yourself out. With authentication-order [ tacplus password ], Junos consults the local password not only when the TACACS+ server is unreachable but also when it rejects the login; if local fallback is wanted only on server failure, leave password out of the order. TACACS+-authenticated users also need a local template user (typically "remote" under system login) or a local user of the same name to receive a login class.

Cisco:

IOS:

aaa new-model
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host 10.10.10.10 single-connection
tacacs-server key 7 1234567890
ip tacacs source-interface Loopback0

! apply the named login list to the VTYs (adjust the line range to your platform)
line vty 0 4
 login authentication VTY


IOS-XE:

aaa new-model
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs server TACACS-SERVER
 address ipv4 10.10.10.10
 key 7 1234567890

ip tacacs source-interface Loopback0

! apply the named login list to the VTYs (adjust the line range to your platform)
line vty 0 4
 login authentication VTY


NX-OS:

feature tacacs+

tacacs-server host 10.10.10.10 key 7 "tacacs_pass"
aaa group server tacacs+ tacacs
    server 10.10.10.10
ip tacacs source-interface mgmt0
tacacs+ distribute

aaa authentication login default group tacacs
aaa authentication login console group tacacs
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs


IOS-XR:

aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands VTY start-stop group tacacs+
aaa authorization exec VTY group tacacs+ none
aaa authorization commands VTY group tacacs+ none
aaa authentication login VTY group tacacs+ line local

tacacs source-interface Loopback0 vrf default
tacacs-server host 10.10.10.10 port 49
 key 7 1234567890123456789

! apply the named lists to the VTY lines; without this the "default" lists are used
line default
 login authentication VTY
 authorization exec VTY
 authorization commands VTY
 accounting exec VTY
 accounting commands VTY

Notes on the Cisco configurations: on IOS and IOS-XE nothing under "aaa" takes effect until "aaa new-model" is enabled, and a named method list (VTY above) is only used on the lines it is applied to. A method list that ends in "none" is fail-open: if no TACACS+ server answers, every command is authorized without any check; "local" (with local users and an enable secret defined) is the usual alternative. "key 7" strings are Cisco's reversible type-7 obfuscation, not encryption (the literal values in this post are placeholders, not real type-7 strings); anyone who can read the configuration can recover the shared secret, so treat configuration backups as secrets.
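The two Cisco pitfalls just noted, fail-open "none" lists and type-7 "encrypted" keys, are easy to check for mechanically. The Python script below is an added example for this post, not code from the original article or from Cisco: it decodes type-7 strings with the publicly known XOR key and audits a constructed IOS/IOS-XE style configuration. WEAK_CONFIG, HARDENED_CONFIG and the key 0822455D0A16 (the classic encoding of "cisco") are test data made up for the demonstration, not taken from any real device.

```python
"""Audit Cisco IOS / IOS-XE style AAA configuration for fail-open method
lists and recoverable type-7 secrets.  Added example, not from the original
post; the configurations below are constructed for the demonstration."""
import re

# Cisco's type-7 XOR key.  It is public, which is the whole point: 'key 7'
# and 'password 7' are obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc):
    """Reverse a type-7 string: two decimal digits give the start offset into
    TYPE7_KEY, the remaining hex pairs are the XOR-ed password bytes."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type-7 string: %r" % enc)
    offset = int(enc[:2])
    data = bytes.fromhex(enc[2:])            # ValueError if not hex
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")             # ValueError if the bytes are not text


# A method list whose last method is 'none' succeeds when every earlier
# method fails, e.g. when no TACACS+ server answers: fail-open.
FAIL_OPEN = re.compile(r"^aaa (?:authentication|authorization) \S.*\bnone$")
TYPE7_SECRET = re.compile(r"\b(?:key|password) 7 ([0-9A-Fa-f]+)$")


def audit_aaa(config):
    """Return {'aaa_new_model': bool, 'fail_open': [lines], 'type7': [(line, plain)]}."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    report = {"aaa_new_model": "aaa new-model" in lines,
              "fail_open": [], "type7": []}
    for ln in lines:
        if FAIL_OPEN.match(ln):
            report["fail_open"].append(ln)
        m = TYPE7_SECRET.search(ln)
        if m:
            try:
                plain = decode_type7(m.group(1))
            except ValueError:
                plain = None                 # not decodable: probably a placeholder
            report["type7"].append((ln, plain))
    return report


def describe(report):
    """Turn the audit result into human-readable findings."""
    out = []
    if not report["aaa_new_model"]:
        out.append("missing 'aaa new-model': none of the aaa lists take effect")
    for ln in report["fail_open"]:
        out.append("fail-open method list (ends in 'none'): " + ln)
    for ln, plain in report["type7"]:
        out.append("type-7 secret is recoverable from the config: %s -> %r" % (ln, plain))
    return out


# Constructed weak configuration: no 'aaa new-model', 'none' fallback,
# type-7 key (0822455D0A16 is the well-known encoding of 'cisco').
WEAK_CONFIG = """\
aaa authentication login VTY group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting commands 15 default start-stop group tacacs+
tacacs server TACACS-SERVER
 address ipv4 10.10.10.10
 key 7 0822455D0A16
"""

# Constructed hardened counterpart: fall back to 'local' (a local user and an
# enable secret must exist) instead of 'none'.  The key is still in the
# configuration, so the configuration itself has to be protected.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
tacacs server TACACS-SERVER
 address ipv4 10.10.10.10
 key 0 ExampleSharedSecret
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("== %s ==" % name)
        for finding in describe(audit_aaa(cfg)) or ["no findings"]:
            print(" -", finding)
```

Run it against a "show running-config" capture to get the same three classes of finding. The regexes deliberately match the stripped line, so IOS-XE's indented "key 7 ..." under "tacacs server" is caught as well as the flat IOS form.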

Static Route Configuration Examples in Cisco (IOS-XR) and Juniper for BGP aggregated prefix advertisements


Rule #1 for advertising an aggregate (or a default route) via BGP: the prefix must exist in the routing table. If the summary (e.g. a /16) does not exist and only the more specific subnets are learned via the IGP (OSPF, IS-IS), configure a static route for the summary with a discard next hop (Juniper: discard; Cisco: Null0). Traffic for parts of the summary that have no more specific route is then dropped locally instead of being forwarded to the default route.

Juniper:

routing-options {
    graceful-restart;
    rib inet6.0 {
        static {
            route fd41:c8be:2153:f400::/64 discard;
            route ::0/0 {
                discard;
                no-install;
            }
        }
    }
    static {
        route 172.16.0.0/16 discard;
        route 0.0.0.0/0 {
            discard;
            no-install;
        }
    }
}

In display set format:

set routing-options graceful-restart
set routing-options rib inet6.0 static route fd41:c8be:2153:f400::/64 discard
set routing-options rib inet6.0 static route ::0/0 discard
set routing-options rib inet6.0 static route ::0/0 no-install

set routing-options static route 172.16.0.0/16 discard
set routing-options static route 0.0.0.0/0 discard
set routing-options static route 0.0.0.0/0 no-install


Cisco:

router static
 address-family ipv4 unicast
  0.0.0.0/0 Null0
  172.16.0.0/16 Null0
 !
 address-family ipv6 unicast
  ::/0 Null0
  fd41:c8be:2153:f400::/64 Null0


In formal:
router static address-family ipv4 unicast 172.16.0.0/16 Null0
router static address-family ipv4 unicast 0.0.0.0/0 Null0
router static address-family ipv6 unicast ::/0 Null0
router static address-family ipv6 unicast fd41:c8be:2153:f400::/64 Null0


Originating BGP advertisements and BGP community tagging (Juniper and Cisco(IOS-XR) configuration)

Originated prefixes can be advertised to any iBGP peer (here a route reflector). Below is a sample configuration for originating BGP routes and tagging them with a community on Juniper and Cisco IOS-XR.






Assume these are the summarized prefixes you want to advertise via BGP (they must exist in the routing table, e.g. as the discard/Null0 statics from the previous post):
111.111.0.0/16
222.222.0.0/16


Juniper:

routing-options {
    graceful-restart;
    router-id 1.1.1.1;
    autonomous-system 11111;
}

protocols {
    bgp {
        group RR-IBGP {
            type internal;
            description RR-IPv4;
            local-address 192.168.100.6;
            family inet {
                unicast;
            }
            authentication-key "$1$N3tBioBwfdFsFVwgoGDh.3C0oL"; ## SECRET-DATA
            export bgp-statement;
            neighbor 192.168.100.5 {
                description "iBGP to Route Reflector";
            }
        }
    }
}

policy-options {
    policy-statement bgp-statement {
        term SITE1 {
            from {
                route-filter 111.111.0.0/16 exact;
                route-filter 222.222.0.0/16 exact;
            }
            then {
                community add SITE1;
                accept;
            }
        }
    }
    community SITE1 members 12345:111;
}


In display set:
set routing-options graceful-restart


set routing-options router-id 1.1.1.1
set routing-options autonomous-system 11111

set protocols bgp group RR-IBGP type internal
set protocols bgp group RR-IBGP description RR-IPv4
set protocols bgp group RR-IBGP local-address 192.168.100.6
set protocols bgp group RR-IBGP family inet unicast
set protocols bgp group RR-IBGP authentication-key "$1$N3tBioBwfdFsFVwgoGDh.3C0oL"
set protocols bgp group RR-IBGP export bgp-statement
set protocols bgp group RR-IBGP neighbor 192.168.100.5 description "iBGP to Route Reflector"

set policy-options policy-statement bgp-statement term SITE1 from route-filter 111.111.0.0/16 exact
set policy-options policy-statement bgp-statement term SITE1 from route-filter 222.222.0.0/16 exact
set policy-options policy-statement bgp-statement term SITE1 then community add SITE1
set policy-options policy-statement bgp-statement term SITE1 then accept

set policy-options community SITE1 members 12345:111


Cisco:

 prefix-set SITE1
 111.111.0.0/16,
 222.222.0.0/16
end-set

route-policy bgp-statement
 if destination in SITE1 then
  set community (12345:111)
  endif
end-policy



router bgp 11111
 nsr
 bgp router-id 1.1.1.1
 bgp graceful-restart
  address-family ipv4 unicast
  network 111.111.0.0/16
  network 222.222.0.0/16

 neighbor-group RR-IBG
  remote-as 11111
  password encrypted 2185073C7B74154C
  description RR IBGP GROUP IPV4
  update-source Loopback0
  address-family ipv4 unicast
   soft-reconfiguration inbound
 !
 neighbor 192.168.100.5
  use neighbor-group RR-IBG
  description RR-IPv4
  address-family ipv4 unicast
   route-policy iBGP-policy-in in
   route-policy bgp-statement out


In Formal:

prefix-set SITE1
 111.111.0.0/16,
 222.222.0.0/16
end-set

route-policy bgp-statement
 if destination in SITE1 then
  set community (12345:111)
  endif
end-policy


router bgp 11111 nsr
router bgp 11111 bgp router-id 1.1.1.1
router bgp 11111 bgp graceful-restart
router bgp 11111 address-family ipv4 unicast
router bgp 11111 address-family ipv4 unicast network 111.111.0.0/16
router bgp 11111 address-family ipv4 unicast network 222.222.0.0/16
router bgp 11111 neighbor-group RR-IBG
router bgp 11111 neighbor-group RR-IBG remote-as 11111
router bgp 11111 neighbor-group RR-IBG password encrypted 2185073C7B74154C
router bgp 11111 neighbor-group RR-IBG description RR IBGP GROUP IPV4
router bgp 11111 neighbor-group RR-IBG update-source Loopback0
router bgp 11111 neighbor-group RR-IBG address-family ipv4 unicast
router bgp 11111 neighbor-group RR-IBG address-family ipv4 unicast soft-reconfiguration inbound
router bgp 11111 neighbor 192.168.100.5
router bgp 11111 neighbor 192.168.100.5 use neighbor-group RR-IBG
router bgp 11111 neighbor 192.168.100.5 description RR-IPv4
router bgp 11111 neighbor 192.168.100.5 address-family ipv4 unicast
router bgp 11111 neighbor 192.168.100.5 address-family ipv4 unicast route-policy iBGP-policy-in in
router bgp 11111 neighbor 192.168.100.5 address-family ipv4 unicast route-policy bgp-statement out

Tuesday, 20 August 2019

Fixing IOU Keygen Error (Running IOS on Linux in EVE-NG)



If you keep getting this error when generating the license key for IOL (IOS On Linux, also called IOU, IOS On Unix) in EVE-NG:

darwin@eve-ng:/$ cd /opt/unetlab/addons/iol/bin

darwin@eve-ng:/opt/unetlab/addons/iol/bin$ python keygen.py
*********************************************************************
Cisco IOU License Generator - Kal 2011, python port of 2006 C version
hostid=bada0c0f, hostname=eve-ng, ioukey=bada0e51
Traceback (most recent call last):
  File "./keygen.py", line 18, in <module>
    md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
struct.error: 'i' format requires -2147483648 <= number <= 2147483647

Step 1: Modify the Python script, changing the struct format character from i to L.
From: md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
To:   md5input=iouPad1 + iouPad2 + struct.pack('!L', ioukey) + iouPad1
The ioukey derived from the hostid (0xbada0e51 here) is larger than 2^31-1, so it does not fit the signed 32-bit integer that 'i' expects; '!L' writes the same four big-endian bytes as an unsigned 32-bit value.

Run again (the license line and the phone-home hint below are printed by the script):
darwin@eve-ng:/opt/unetlab/addons/iol/bin$ python keygen.py
*********************************************************************
Cisco IOU License Generator - Kal 2011, python port of 2006 C version
hostid=bada0c0f, hostname=eve-ng, ioukey=bada0e51

Add the following text to ~/.iourc:
[license]
eve-ng = f2630dfba88daedd;

You can disable the phone home feature with something like:
 echo '127.0.0.127 xml.cisco.com' >> /etc/hosts

Step 2: Put the license key in the "iourc" file
vi iourc

[license]
eve-ng = f2630dfba88daedd;


Step 3: Test IOL

darwin@eve-ng:/opt/unetlab/addons/iol/bin$ LD_LIBRARY_PATH=/opt/unetlab/addons/iol/lib /opt/unetlab/addons/iol/bin/i86bi-linux-l3-adventerprisek9-15.4.2T.bin 1
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers.  To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706


Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(2)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 27-Mar-14 01:08 by prod_rel_team


This product contains cryptographic features and is subject to United
--omitted lines --

Configuring Port Monitoring in Cisco Catalyst 4948 (via network optical tap)


SPAN (Switched Port Analyzer) mirrors received or transmitted traffic (or both) from one or more source ports to a destination port for analysis:
a copy of every packet received or sent on the source interfaces is sent out the destination interface.

Prerequisites:

You need to understand how an optical tap works; here is some useful background (credit to the original author):
Link:https://community.fs.com/blog/do-you-know-about-optical-tap-test-access-point-cassettes.html



https://en.wikipedia.org/wiki/Network_tap#/media/File:Optical-tap-schema-wiki.gif




Setup:
Cisco Catalyst 4948
2 Routers connected via Optical Tap

Network Diagram:


Step 1: Connect the links physically as per the diagram above, and connect a UTP cable from the switch to the PC's Ethernet port.

Step 2: Configure 4948 Switch
Cisco 4948 Configuration:
4948#conf t
interface TenGigabitEthernet1/49
 description 10GE Conn to Router1 (via optical tap)
 switchport access vlan 100
 switchport mode access
 ip access-group dhcp-traffic in
 load-interval 30
 udld port disable
 no cdp enable
 no shutdown
!
interface TenGigabitEthernet1/50
 description 10GE Conn to Switch1 (via optical tap)
 switchport access vlan 200
 switchport mode access
 ip access-group dhcp-traffic in
 udld port disable
 no cdp enable
 no shutdown

interface GigabitEthernet1/47
 description GE Connection to RemoteServer
 load-interval 30
 spanning-tree bpdufilter enable
 no shutdown

monitor session 15 source interface Te1/49 - 50
monitor session 15 destination interface Gi1/47
monitor session 15 filter packet-type good rx
monitor session 15 filter ip access-group dhcp-traffic


[Optional]
If you want to filter the mirrored traffic, e.g. only DHCP and DNS, define an extended ACL and reference it from the interfaces and the monitor session as above (the ACL must exist before it is referenced):
 ip access-list extended dhcp-traffic
 permit udp any eq domain any
 permit udp any any eq domain
 permit udp any range bootps bootpc any range bootps bootpc
 deny   ip any any


Step 3: Verify the configuration and traffic. The destination port status should be "monitoring".

4948-Switch#show monitor session all
Session 15
----------
Type                   : Local Session
Source Ports           :
    Both               : Te1/49-52
Destination Ports      : Gi1/47
    Encapsulation      : Native
          Ingress      : Disabled
         Learning : Disabled
Filter Pkt Type        :
    RX Only       : Good
IP Access-group        : dhcp-traffic


4948-Switch#show int gi1/47
GigabitEthernet1/47 is up, line protocol is down (monitoring)
  Hardware is Gigabit Ethernet Port, address is 649e.f3ec.0b6e (bia 649e.f3ec.0b6e)
  Description: GE Connection to RemoteServer
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000-TX
  input flow-control is on, output flow-control is on
  Auto-MDIX on (operational: on)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 3059552617
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

Step 4: Once traffic is confirmed, open a packet analyzer such as Wireshark or tcpdump on the remote server's interface.
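Once DHCP traffic from the tap arrives on the remote server, a common thing to look for is a rogue DHCP server answering clients. The Python below is an added example, not part of the original post: it parses the BOOTP/DHCP payload of a UDP datagram (obtaining that payload from the mirrored feed, via a pcap reader or a raw socket, is outside its scope), extracts the message type and server identifier (option 54), and alerts on OFFER/ACK/NAK messages from any server not on an allow-list. The ALLOWED_DHCP_SERVERS set and the packets produced by build_offer() are assumptions constructed for the demonstration, not captured traffic.

```python
"""Triage DHCP payloads arriving on the SPAN destination and flag rogue
DHCP servers.  Added example for the post above, not part of the original;
the packets built here are constructed test data."""
import ipaddress
import struct

# BOOTP fixed header (RFC 2131 section 2): 236 bytes, then the 4-byte magic
# cookie, then DHCP options as (code, length, data) with 0 = pad, 255 = end.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
ALLOWED_DHCP_SERVERS = {"192.168.1.1"}   # assumption: the only legitimate server here


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message (UDP ports 67/68)."""
    if len(payload) < BOOTP_LEN + 4 or payload[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    options = {}
    i = BOOTP_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # END
            break
        if code == 0:                        # PAD
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = data
        i += 2 + length
    mtype = options.get(53, b"\x00")[0]
    server = options.get(54, b"")
    return {
        "op": op,
        "xid": xid,
        "type": MSG_TYPES.get(mtype, "UNKNOWN(%d)" % mtype),
        "client_mac": ":".join("%02x" % b for b in chaddr[:hlen]),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "server_id": str(ipaddress.IPv4Address(server)) if len(server) == 4 else None,
        "options": options,
    }


def rogue_server_alert(msg, allowed_servers):
    """OFFER/ACK/NAK are server messages and carry option 54 (server
    identifier).  Return an alert string for a server not on the allow-list."""
    if msg["type"] not in ("OFFER", "ACK", "NAK"):
        return None
    if msg["server_id"] is None:
        return "server message without option 54 (xid %08x)" % msg["xid"]
    if msg["server_id"] in allowed_servers:
        return None
    return "rogue DHCP server %s sent %s to %s (offered %s, xid %08x)" % (
        msg["server_id"], msg["type"], msg["client_mac"], msg["yiaddr"], msg["xid"])


def scan(payloads, allowed=ALLOWED_DHCP_SERVERS):
    """Run every payload through the parser and collect the alerts."""
    alerts = []
    for payload in payloads:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue                         # not DHCP or malformed: skip it
        alert = rogue_server_alert(msg, allowed)
        if alert:
            alerts.append(alert)
    return alerts


def build_offer(server_ip, client_mac, offered_ip, xid=0x3903F326):
    """Construct a minimal DHCPOFFER payload (test data, not captured traffic)."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0, b"\x00" * 4,
                         ipaddress.IPv4Address(offered_ip).packed,
                         ipaddress.IPv4Address(server_ip).packed,
                         b"\x00" * 4, chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (bytes([53, 1, 2])                                       # message type: OFFER
               + bytes([54, 4]) + ipaddress.IPv4Address(server_ip).packed   # server identifier
               + bytes([51, 4]) + struct.pack("!I", 86400)             # lease time
               + bytes([1, 4]) + ipaddress.IPv4Address("255.255.255.0").packed
               + bytes([255]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    sample = [build_offer("192.168.1.1", "00:11:22:33:44:55", "192.168.1.100"),
              build_offer("192.168.1.254", "00:11:22:33:44:55", "192.168.1.200", xid=0x1A2B3C4D)]
    for line in scan(sample):
        print(line)
```

Because the SPAN session above already filters to bootps/bootpc, everything that reaches the server on those ports should parse; anything that fails parse_dhcp() is worth counting separately, since malformed DHCP on a production segment is itself a signal.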

Monday, 19 August 2019

Isolating IGP (OSPF & ISIS) traffic by increasing Metric in IOS-XR routers

@OSPF

Set max-metric for OSPF and OSPFv3 on IOS-XR (the router keeps advertising its links, but at maximum cost, so other routers stop using it for transit):

RP/0/RSP0/CPU0:IOS-XR(config)#router ospf 65555
 max-metric router-lsa external-lsa
 !
router ospfv3 65555
 stub-router router-lsa v6-bit
  always

Save the changes:
RP/0/RSP0/CPU0:IOS-XR(config)#commit

Verify:
show ospf database

@ISIS

Set the IS-IS overload bit (same effect: other routers avoid this router for transit traffic):

router isis XXXX
set-overload-bit

Save the changes:
RP/0/RSP0/CPU0:IOS-XR(config)#commit

Verify:
show isis database


Wednesday, 10 July 2019

Sample Network Scanning of Routers using Nmap


Nmap (Network Mapper) is a free and open-source tool for network discovery and security auditing: it identifies which hosts are up, which ports are open and which services (and versions) are listening. To see the open ports and running services on your routers or switches, scan them with nmap. In the samples below 192.168.1.1 is the router's IP.

Sample 1: service/version detection with the default (safe) NSE scripts
nmap -sV -sC 192.168.1.1

Sample result:
[networkbio@server ~]$ nmap -sV -sC 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 15:12 +08
Nmap scan report for 192.168.1.1
Host is up (0.41s latency).
All 1000 scanned ports on 192.168.1.1 are closed

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.49 seconds

Sample 2: ssh2-enum-algos reports the number of algorithms (key exchange, host key, encryption, MAC, compression) the SSH server offers; with verbosity set, the offered algorithms are listed by type.

[networkbio@server ~]$ nmap --script ssh2-enum-algos -p22 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 15:06 +08
Nmap scan report for 192.168.1.1
Host is up (0.0017s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (5)
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (1)
|       ssh-rsa
|   encryption_algorithms (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (3)
|       hmac-sha2-512
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms (1)
|_      none

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
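The ssh2-enum-algos output above already carries a finding: the router offers diffie-hellman-group1-sha1 (1024-bit group, SHA-1), diffie-hellman-group14-sha1, ssh-rsa host-key signatures (RSA with SHA-1, which OpenSSH clients refuse by default since 8.8) and hmac-sha1. The Python below is an added example, not from the original post: it parses the script's "|" block (the sample text is copied from the run above) and lists the deprecated algorithms per category. The rules in is_weak() are this example's own summary of current guidance, not an nmap feature.

```python
"""Parse nmap's ssh2-enum-algos output and flag deprecated algorithms.
Added example, not part of the original post; SAMPLE_OUTPUT is copied from
the nmap run shown in the post."""
import re

SAMPLE_OUTPUT = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (5)
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (1)
|       ssh-rsa
|   encryption_algorithms (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (3)
|       hmac-sha2-512
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms (1)
|_      none

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
"""

HEADER = re.compile(r"^(\w+) \((\d+)\)$")    # e.g. "kex_algorithms (5)"


def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} from the script's '|' block."""
    algos, current, in_block = {}, None, False
    for raw in text.splitlines():
        if not raw.startswith("|"):
            if in_block:
                break                        # first non-script line ends the block
            continue
        line = raw.lstrip("|_").strip()      # "|_" marks the last script line
        if line == "ssh2-enum-algos:":
            in_block = True
            continue
        if not in_block:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            algos[current] = []
        elif current is not None:
            algos[current].append(line)
    return algos


def is_weak(category, name):
    """Deprecation rules used by this example: SHA-1 based key exchange
    (group1 is also only a 1024-bit group), SHA-1/DSA host-key signatures,
    CBC/RC4/3DES/null ciphers, MD5 or SHA-1 MACs."""
    n = name.lower()
    if category == "kex_algorithms":
        return n.endswith("-sha1")
    if category == "server_host_key_algorithms":
        return n in ("ssh-rsa", "ssh-dss")
    if category == "encryption_algorithms":
        return n.endswith("-cbc") or n.startswith(("arcfour", "3des")) or n == "none"
    if category == "mac_algorithms":
        return "md5" in n or n.startswith("hmac-sha1")
    return False


def triage(algos):
    """Map each category to the offered algorithms that is_weak() flags."""
    return {cat: [a for a in names if is_weak(cat, a)] for cat, names in algos.items()}


if __name__ == "__main__":
    for cat, weak in triage(parse_enum_algos(SAMPLE_OUTPUT)).items():
        print("%-28s %s" % (cat, ", ".join(weak) or "ok"))
```

Feed it "nmap --script ssh2-enum-algos -p22 <router> -oN out.txt" output for a whole management range and you get a per-device list of what to switch off. Most platforms let you restrict the offered set on the device side (for example "ip ssh server algorithm kex ..." on recent IOS/IOS-XE and "system services ssh key-exchange ..." on Junos); re-run the script afterwards to confirm the weak entries are gone.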

Sample 3: ssl-enum-ciphers repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor and recording whether the host accepts or rejects it. The end result is a list of all the cipher suites and compressors the server accepts.

[networkbio@server ~]$ nmap --script ssl-enum-ciphers -p 443 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 15:09 +08
Nmap scan report for 192.168.1.1
Host is up (0.0017s latency).
PORT    STATE  SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds